Description of problem:
The documentation for mod_auth_kerb states that the keytab needs to be of type HTTP/<fqdn_of_www_server>@REALM. If another keytab service type is required, then you must use KrbServiceName "service", where "service" would most likely be host/<fqdn_of_www_server>@REALM. The documentation is wrong. Keytabs of service type host/ are accepted by default.
Version-Release number of selected component (if applicable):
How reproducible:
easy
Steps to Reproduce:
1. Get a keytab for the system, of 'normal' type host/
2. In .htaccess put the proper location to krb5keytab to point to this file, also make sure krbauthrealm is properly set and krbverifykdc is set to off.
3. Put in the AuthName and require user@REALM entries in .htaccess
Actual results:
The user is allowed in with their Kerberos credentials
Expected results:
Since the keytab is of type host/, and not HTTP/ as per the documentation, mod_auth_kerb shouldn't work, but it does.
Additional info:
Many universities (MIT for example) have a web site set up to allow you to request a keytab. Their staff has access to automated scripts, etc., that let them create keytabs of type host/, not HTTP/. Had the documentation stated correctly that keytabs of type host/ work out of the box, much time would have been saved.
By "documentation" are you referring to the wording in the example configuration file, /etc/httpd/conf.d/auth_kerb.conf, or the README?
Woops, sorry about ambiguity. Documentation refers to 1) The README, lines 92 and 139. 2) The example /etc/httpd/conf.d/auth_kerb.conf, lines 12-13. I looked at every piece of documentation from http://modauthkerb.sourceforge.net/, and it agrees and says the same thing. Also, the code, at (unpatched 5.0-rc6 source) line 236 in mod_auth_kerb.c does a specific '... ->krb_service_name = "HTTP"'
Sorry, I'm still not clear what you're reporting. Are you saying that the documentation is wrong and should be changed to match the behaviour of the code? Or that the code is wrong and should be changed to match the documentation? I'm not sure precisely what is confusing about the README; it merely talks about the default service name. Likewise the line of code you reference merely sets the default service name, allowing the configuration to override it if desired.
Sorry, confusion definitely happens when I've yet to have coffee. The documentation is wrong. The documentation says HTTP/ _only_ works by default. I have keytab in place of type host/, and this works. I did not specify type host/ in the configuration, as the documentation says I needed to. I listed the source code only to show that even the source code says type HTTP/ is the default, and that type host/ is nowhere to be seen. This was only done to point out that I have no idea _where_ the code is allowing type host/ by default.
Documentation is sort of right... While the mod_auth_kerb system WILL work with host/ instead of HTTP/, it may create problems with certain clients. The "standard" is HTTP, so while some browsers will go in fine with a host tab only, the lack of HTTP may create problems with others. The software SHOULD be modified to match the documentation, although that would be removing a useful if "incorrect" feature. Changing the documentation will potentially cause problems elsewhere.
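The thread turns on which service principals a keytab actually carries (host/ only, HTTP/ only, or both). The following is an added example, not part of the bug report or of mod_auth_kerb: it lists the service types present for a given host, assuming the MIT keytab file format version 0x0502 (big-endian); the function names, `www.example.edu` and `EXAMPLE.EDU` are hypothetical and the sample keytab is constructed.

```python
import struct

def _counted(buf, off):
    """Read a uint16 length-prefixed byte string; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def keytab_principals(data):
    """Return the set of 'service/host@REALM' names in a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    names, off = set(), 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                  # negative length marks a deleted entry (hole)
            off += -size
            continue
        entry = data[off:off + size]
        off += size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _counted(entry, 2)
        comps = []
        for _ in range(ncomp):         # name components, e.g. "host" and the FQDN
            c, p = _counted(entry, p)
            comps.append(c.decode())
        names.add("/".join(comps) + "@" + realm.decode())
    return names

def service_types(data, fqdn):
    """Service names (first principal component) that have a key for this host."""
    out = set()
    for name in keytab_principals(data):
        svc, _, host = name.rsplit("@", 1)[0].partition("/")
        if host.lower() == fqdn.lower():
            out.add(svc)
    return out

def build_entry(service, host, realm):
    """Constructed test data: one keytab entry with an all-zero dummy key."""
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", 2) + cs(realm) + cs(service) + cs(host)
    body += struct.pack(">IIB", 1, 0, 1)             # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", 17, 16) + bytes(16)   # enctype 17, 16-byte key
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + build_entry("host", "www.example.edu", "EXAMPLE.EDU")
if __name__ == "__main__":
    print(sorted(service_types(SAMPLE, "www.example.edu")))
```

On a live system, `klist -k` against the keytab file prints the same principal list.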
Fedora Core 3 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thank you!
Fedora Core 3 is not maintained anymore. Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the current Fedora release please reopen this bug.